If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Do you have register_globals on? I think to do it like that you need register_globals on, unless you didn't include some code where you set $file_id = $_GET['file_id']. Otherwise, make all occurences of $file_id in your code $_GET['file_id'].

However, I have a question (which I am unable to try out for myself at the moment) - if you used this method to download a file, would you be able to work out the actual location of the file by sniffing and inspecting the packets with Wireshark?

That's a good question, and I believe the answer is no. I remember trying that once and that header you're returning looks very familiar. The reason I tried it is because I use command line with wget on nix, and I was looking for URLs in a normal browser on windows, then typing them out on my linux box. And I couldn't get a direct path to a file that used something that was very similar, if not the same thing as what you describe.

f you used this method to download a file, would you be able to work out the
actual location of the file by sniffing and inspecting the packets with Wireshark?

The answer, indeed, is no. The reason:

1. The client himself has no access to the unparsed php-script, and thus to $path

2. After parsing the php-script, there is no information left in the generated data
(which is sent to the client) of $path. Basically, you are creating your own
http-"application-packet". You could look at it simply with burpproxy[1].

3. there is no information in lower layers about the path of the file.

However, there might be a way to obtain the information - namely in the file, which
you send, itself. Assume you are sending a word-document with the filepath-variable set ...

Thanks to both of you! sec_ware, you have a very good point - there are no fields in the header which display the location of the file, and so any collected packets wouldn't show up anything useful.

Luckily, I modified the script beforehand to make sure this wasn't possible (although I wasn't sure if there was another method through which it could be obtained). The script previously read:

PHP Code:

header("Content-Disposition: attachment; filename=".$path.";");

I then added the constant '$filename', and put that as the filename instead, because before any downloaded files would have the filename 'dir1-dir2-filename' (eg. 'data-Abstract.zip'), which gave away the original path